CVE-2025-66208
📋 TL;DR
CVE-2025-66208 is a critical OS command injection vulnerability in Collabora Online - Built-in CODE Server, the Nextcloud app (app id richdocumentscode) whose proxy.php script fronts the bundled CODE server. Per the vendor advisory, a remote attacker can reach the injection through proxy.php when the app is deployed behind an intermediate reverse proxy and execute arbitrary commands on the host running it. Nextcloud instances with the app installed are affected.
💻 Affected Systems
- Collabora Online - Built-in CODE Server (richdocumentscode)
- Nextcloud with Collabora Online - Built-in CODE Server app
📦 What is this software?
Collabora Online, the browser-based office suite by Collabora. CODE (Collabora Online Development Edition) is the build that the Nextcloud richdocumentscode app bundles and exposes through proxy.php.
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attacker to execute arbitrary commands with server privileges, potentially leading to data theft, ransomware deployment, or complete server takeover.
Likely Case
Remote code execution leading to unauthorized access, data exfiltration, or installation of backdoors on vulnerable servers.
If Mitigated
Limited impact if proper network segmentation, WAF rules, and strict access controls are implemented to block malicious requests.
🎯 Exploit Status
The advisory suggests exploitation requires specific proxy configurations but doesn't detail exact prerequisites.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 25.04.702
Vendor Advisory: https://github.com/CollaboraOnline/online/security/advisories/GHSA-j3q6-q5pc-v5wf
Restart Required: Yes
Instructions:
1. Update Collabora Online - Built-in CODE Server (richdocumentscode) to version 25.04.702 or later, from the Nextcloud admin Apps page or with the occ command-line tool.
2. Restart the Collabora Online service.
3. Verify the update by checking that the app now reports version 25.04.702 or higher.
🔧 Temporary Workarounds
Disable or restrict proxy.php access
Temporarily block or restrict access to the vulnerable proxy.php endpoint via web server configuration or firewall rules. The script lives inside the richdocumentscode app directory under the Nextcloud web root, not at the site root, so match on the file name rather than anchoring the rule to "/proxy.php". Blocking it disables the built-in CODE server for every user until the patch is applied.
# Example for Apache (mod_rewrite, vhost or .htaccess context): RewriteEngine On, then RewriteRule proxy\.php$ - [F]
# Example for Nginx (place it before the generic PHP handler location, because the first matching regex location wins): location ~ proxy\.php$ { deny all; }
Implement WAF rules
Deploy web application firewall rules to detect and block command injection attempts targeting the proxy endpoint. Match on the percent-decoded request, since injection payloads normally arrive URL-encoded.
🧯 If You Can't Patch
- Isolate the Collabora Online server in a restricted network segment with no internet access.
- Implement strict network access controls to limit which systems can communicate with the Collabora Online proxy endpoint.
🔍 How to Verify
Check if Vulnerable:
Check the richdocumentscode app version on the Nextcloud admin Apps page or with occ. If the version is below 25.04.702, the app is vulnerable.
Check Version:
# Built-in CODE app (the affected component), run from the Nextcloud directory: sudo -u www-data php occ app:list | grep richdocumentscode
# Standalone Collabora Online packages are a separate install and do not carry the app version, so these only show that a standalone CODE server is present: dpkg -l | grep collabora-online OR rpm -qa | grep collabora-online
Verify Fix Applied:
Confirm that the richdocumentscode app reports version 25.04.702 or higher after the update, using the same occ or Apps-page check.
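As an added example (not code from the advisory or from the richdocumentscode project), the following Python script reads occ app:list output and compares the installed version against 25.04.702 numerically, which matters because a plain string comparison ranks 25.04.9 above 25.04.702. The occ path, the app id and the sample app:list text are assumptions constructed for this example.

```python
"""Added example, not part of the advisory: decide from `occ app:list` output
whether the installed richdocumentscode app is older than the fixed release.

Assumptions: the app id is `richdocumentscode`, `occ app:list` prints one
"  - <app id>: <version>" line per app, and the Nextcloud directory used by
assess_live() is a placeholder for your own install.
"""
import re
import subprocess

FIXED_VERSION = "25.04.702"
APP_ID = "richdocumentscode"

# Constructed sample of `occ app:list` output so the script runs offline.
SAMPLE_APP_LIST = """\
Enabled:
  - files: 2.1.0
  - richdocuments: 8.6.2
  - richdocumentscode: 25.04.701
Disabled:
  - survey_client
"""


def parse_version(version: str) -> tuple:
    """'25.04.702' -> (25, 4, 702). Integer parts compare correctly where a
    string comparison would not ('25.04.9' is older than '25.04.702')."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly older than the fixed one."""
    return parse_version(installed) < parse_version(fixed)


def find_app_version(app_list_output: str, app_id: str = APP_ID):
    """Return the version string for app_id from occ app:list output, or None
    when the app is absent or listed without a version."""
    pattern = re.compile(
        r"^\s*-\s*" + re.escape(app_id) + r":\s*(\d+(?:\.\d+)*)\s*$",
        re.MULTILINE,
    )
    match = pattern.search(app_list_output)
    return match.group(1) if match else None


def assess(app_list_output: str, app_id: str = APP_ID) -> str:
    """Summarise as 'not installed', 'vulnerable (<v>)' or 'fixed (<v>)'."""
    version = find_app_version(app_list_output, app_id)
    if version is None:
        return "not installed"
    state = "vulnerable" if is_vulnerable(version) else "fixed"
    return f"{state} ({version})"


def assess_live(nextcloud_dir: str = "/var/www/nextcloud") -> str:
    """Run occ on this host (directory is an assumption) and assess the output."""
    output = subprocess.run(
        ["sudo", "-u", "www-data", "php", "occ", "app:list"],
        cwd=nextcloud_dir, capture_output=True, text=True, check=True,
    ).stdout
    return assess(output)


if __name__ == "__main__":
    print(assess(SAMPLE_APP_LIST))  # vulnerable (25.04.701)
```

Run assess_live() on the Nextcloud host itself; the sudo user must match the account that owns the Nextcloud files, which is www-data on Debian-style installs and may differ elsewhere.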
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to proxy.php with shell metacharacters or command injection patterns
- Unexpected child processes spawned by the PHP/web server user that runs Nextcloud, or by the Collabora Online service user
Network Indicators:
- Suspicious outbound connections from the Collabora Online server to external IPs
- Unusual traffic patterns to/from the proxy.php endpoint
SIEM Query (Splunk-style; field names depend on your log source, and the query matches both raw and percent-encoded metacharacters in the request URI, omitting the "&", "<" and ">" patterns because they are too noisy in URLs):
source="collabora_logs" AND uri="*proxy.php*" AND (uri="*;*" OR uri="*|*" OR uri="*`*" OR uri="*$(*" OR uri="*%3B*" OR uri="*%7C*" OR uri="*%60*" OR uri="*%24(*")
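To put the log indicators above into practice, here is an added example (not from the advisory or the project) in Python that scans Combined Log Format access-log lines for requests to proxy.php whose percent-decoded query values contain shell metacharacters, so an encoded "%3B" is caught as ";" where a raw-string search would miss it. The sample lines, the proxy.php path and the req parameter in them are constructed for this example; adjust them to your deployment.

```python
"""Added example, not part of the advisory: flag access-log requests to
proxy.php whose decoded query-string values carry shell metacharacters.

Assumptions: Combined Log Format lines; the proxy.php path and the `req`
parameter in SAMPLE_LOG are constructed for this example.
"""
import re
from urllib.parse import parse_qsl, urlsplit

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Shell metacharacters that have no business in a legitimate value. '&' is
# checked on decoded values only, so ordinary "a=1&b=2" separators do not fire.
SHELL_META = re.compile(r"[;|`$<>&\n]")

# Constructed sample: one benign proxy.php request, two injection attempts
# (one percent-encoded) and one unrelated request that also contains "%3B".
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2026:10:00:01 +0000] "GET /apps/richdocumentscode/proxy.php?req=/hosting/discovery HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2026:10:00:02 +0000] "GET /apps/richdocumentscode/proxy.php?req=/hosting/discovery%3Bid HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [10/Jan/2026:10:00:03 +0000] "POST /apps/richdocumentscode/proxy.php?req=%24(id)&status=1 HTTP/1.1" 500 12 "-" "curl/8.0"
198.51.100.2 - - [10/Jan/2026:10:00:04 +0000] "GET /index.php/apps/files/?dir=/a%3Bb HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""


def suspicious_params(target: str) -> list:
    """For a request target that hits proxy.php, return the (name, value) pairs
    whose decoded value contains a shell metacharacter; [] for other paths or
    clean queries."""
    parts = urlsplit(target)
    if not parts.path.endswith("/proxy.php"):
        return []
    return [
        (name, value)
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
        if SHELL_META.search(value)
    ]


def scan_log(lines) -> list:
    """Return one finding per suspicious request: ip, timestamp, method,
    status and the offending parameters."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not Combined Log Format; skip rather than guess
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "status": int(m.group("status")),
                "params": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG.splitlines()):
        print(finding)
```

Access logs do not record request bodies, so a payload carried in a POST body is only visible to a WAF or to PHP-level logging; this script covers the query-string path. A single round of percent-decoding is applied (parse_qsl), which is what the web server itself does, so a double-encoded payload that the backend decodes a second time would need an extra unquote pass.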